From: Juergen Repp <juergen_repp@web.de>
To: Lennart Poettering <mzgcz2gff@0pointer.net>, tpm2@lists.linux.dev
Subject: Re: Using TPM2_LoadExternal() for loading an HMAC key into the TPM?
Date: Tue, 16 Apr 2024 16:23:49 +0200 [thread overview]
Message-ID: <4fa1f7ed-cbe7-4fbe-84d9-d73b7a91fd7a@web.de> (raw)
In-Reply-To: <Zh53rw5o97SVXZWT@gardel-login>
Hello,
the error is caused by:
.parameters.keyedHashDetail.scheme.scheme = TPM2_ALG_SHA256,
TPM2_ALG_HMAC, TPM2_ALG_XOR, and TPM2_ALG_NULL are possible selectors for TPMU_SCHEME_KEYEDHASH.
The hash alg has to be set with:
.parameters.keyedHashDetail.scheme.details.hmac.hashAlg = TPM2_ALG_SHA256,
Unfortunately the error message for this error is only displayed if log level debug is activated.
Juergen
Am 16.04.24 um 15:05 schrieb Lennart Poettering:
> Hi!
>
> I was wondering, if anyone has an idea how precisely to set up a pair
> of TPM2B_PUBLIC and TPM2_SENSITIVE structures for loading an
> HMAC-SHA256 key into the TPM via TPM_LoadExternal()?
>
> I am currently setting things up more or less like this:
>
> TPM2B_PUBLIC auth_hmac_public = {
>     .size = sizeof(TPMT_PUBLIC),
>     .publicArea = {
>         .type = TPM2_ALG_KEYEDHASH,
>         .nameAlg = TPM2_ALG_SHA256,
>         .objectAttributes = TPMA_OBJECT_DECRYPT | TPMA_OBJECT_SIGN_ENCRYPT /* | TPMA_OBJECT_USERWITHAUTH */,
>         .parameters.keyedHashDetail.scheme.scheme = TPM2_ALG_SHA256,
>         .unique.keyedHash.size = buffer.size,
>     },
> };
>
> TPM2B_SENSITIVE auth_hmac_private = {
>     .size = sizeof(TPMT_SENSITIVE),
>     .sensitiveArea = {
>         .sensitiveType = TPM2_ALG_KEYEDHASH,
>         .sensitive.sym.size = buffer.size,
>     },
> };
>
> memcpy(auth_hmac_private.sensitiveArea.sensitive.sym.buffer, buffer.buffer, buffer.size);
>
> And then use TPM2_LoadExternal() with this, for the NULL hierarchy.
>
> tpm2-tss responds with these errors:
>
> ERROR:esys:src/tss2-esys/api/Esys_LoadExternal.c:184:Esys_LoadExternal_Async() SAPI Prepare returned error. ErrorCode (0x0009000b)
> ERROR:esys:src/tss2-esys/api/Esys_LoadExternal.c:85:Esys_LoadExternal() Error in async function ErrorCode (0x0009000b)
>
> But, uh, what am I supposed to make of this?
>
> I figure it's not even the TPM that refuses this, but it's tpm2-tss
> already?
>
> Anyone has an idea?
>
> (Background: I am trying to protect an nvindex that I want to use with
> TPM2_AuthorizeNV, with an TPM2_PolicySigned access policy. I want to
> use an HMAC key for the signature scheme. If you want to know even
> more, see → https://github.com/systemd/systemd/pull/31790. The above
> is more or less a copy of the topmost commit of that)
>
> Any help appreciated!
>
> Lennart
>
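The selector mix-up discussed above, as an added C example that is not part of this thread or of tpm2-tss: a local stand-in for the keyedHash scheme types (field names follow tss2_tpm2_types.h, algorithm ids from the TCG registry) with the selector rule the marshalling layer applies, the parameters as posted, and the parameters as corrected in the reply. The hashAlg != NULL check and the type mirror are assumptions made here so the block builds without libtss2.

```c
#include <stdint.h>

/* Stand-ins for the tss2 types (field names follow tss2_tpm2_types.h) and
 * selector values from the TCG algorithm registry, defined here so the
 * check runs without libtss2. Assumption: only the keyedHash parts are mirrored. */
#define TPM2_ALG_HMAC        0x0005
#define TPM2_ALG_XOR         0x000A
#define TPM2_ALG_SHA256      0x000B
#define TPM2_ALG_NULL        0x0010
#define TSS2_MU_RC_BAD_VALUE 0x0009000B /* layer 9 = marshalling, base 0x0B = BAD_VALUE */

typedef uint16_t TPM2_ALG_ID;
typedef struct { TPM2_ALG_ID hashAlg; } TPMS_SCHEME_HMAC;
typedef struct { TPM2_ALG_ID hashAlg; TPM2_ALG_ID kdf; } TPMS_SCHEME_XOR;
typedef union { TPMS_SCHEME_HMAC hmac; TPMS_SCHEME_XOR exclusiveOr; } TPMU_SCHEME_KEYEDHASH;
typedef struct { TPM2_ALG_ID scheme; TPMU_SCHEME_KEYEDHASH details; } TPMT_KEYEDHASH_SCHEME;
typedef struct { TPMT_KEYEDHASH_SCHEME scheme; } TPMS_KEYEDHASH_PARMS;
typedef struct { TPMS_KEYEDHASH_PARMS keyedHashDetail; } TPMU_PUBLIC_PARMS;

/* Selector rule the marshalling layer enforces for TPMU_SCHEME_KEYEDHASH:
 * only HMAC, XOR or NULL are valid selectors. The extra hashAlg != NULL
 * check for HMAC/XOR is added here; the TPM rejects a NULL hash there too. */
uint32_t keyedhash_scheme_check(const TPMT_KEYEDHASH_SCHEME *s)
{
    switch (s->scheme) {
    case TPM2_ALG_NULL:
        return 0;
    case TPM2_ALG_HMAC:
        return s->details.hmac.hashAlg == TPM2_ALG_NULL ? TSS2_MU_RC_BAD_VALUE : 0;
    case TPM2_ALG_XOR:
        return s->details.exclusiveOr.hashAlg == TPM2_ALG_NULL ? TSS2_MU_RC_BAD_VALUE : 0;
    default: /* a hash id such as TPM2_ALG_SHA256 in the selector slot */
        return TSS2_MU_RC_BAD_VALUE;
    }
}

/* Parameters as in the original post: the hash id sits in the selector. */
TPMU_PUBLIC_PARMS hmac_parms_as_posted(void)
{
    TPMU_PUBLIC_PARMS p = { .keyedHashDetail.scheme.scheme = TPM2_ALG_SHA256 };
    return p;
}

/* Parameters per the reply: HMAC selector, hash under details.hmac.hashAlg. */
TPMU_PUBLIC_PARMS hmac_parms_corrected(void)
{
    TPMU_PUBLIC_PARMS p = {
        .keyedHashDetail.scheme.scheme = TPM2_ALG_HMAC,
        .keyedHashDetail.scheme.details.hmac.hashAlg = TPM2_ALG_SHA256,
    };
    return p;
}
```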